Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write base query to get all the fields from below three multiple logs

shruti14
Explorer
‎02-07-2022 07:08 AM

Hi , I have to get the below fields extracted from these three logs to create visulisation: Fields i am interested:

Event_log type,originator_username,object,username,destination,bucket_name,time,type

 

I have written this regex to create parser but i am not getting all the fields while writing base serach:

^(?:[^ \n]* ){2}(?P<event_log>\w+\s+[a-z_-]+)(?:[^ \n]* ){2}\{"originator_username"\:(?P<originator_username>.[a-z]+")\,"object"\:(?<object>.[a-z]+)[^,\n]*,"extra"\:\{(?P<extra>.[a-z]+)":[^,\n]*(?:[^,\n]*,){6}"time"\:(?P<time>\w+),(?:[^,\n]*,){2}"type"\:(?<type>.[a-z_]+[a-z])"}

 

2022-01-23 10:19:47,140 WARNING event_log EventLog: {"originator_username":"abc","object":"cluster","extra":{"username":"admin"},"object_type":"cluster","originator_uid":0,"time":164287087,"throttled_event_count":1,"obj_uid":null,"type":"failed_authentication_attempt"}

2022-01-23 07:24:05,479 INFO event_log EventLog: {"originator_username":"abcef","object":"bdb:1","extra":{"destination":{"bucket_name":"dbabucket","type":"s3","subdir":"radar2","filename":""}},"object_type":"bdb","originator_uid":0,"time":164767765,"throttled_event_count":1,"obj_uid":"1","type":"backup_succeeded"}

2022-01-23 07:15:00,294 INFO event_log EventLog: {"originator_username":"adminstrator","object":"bdb:1","object_type":"bdb","originator_uid":0,"time":1642788100,"throttled_event_count":1,"obj_uid":"1","type":"backup_started"}

 

Can anyone help me what neededd to be fix in regex so i can get all the needed field extracted for base search.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2022 08:42 AM

You could extract the JSON and use spath

| rex "(?<log>\{.*\})"
| spath input=log
0 Karma
Reply

shruti14
Explorer
‎02-07-2022 08:43 AM

Hi, 

But these logs are not in json format, i.e why i have to parse them manually by writing regex

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2022 08:47 AM

The examples you gave have JSON strings at the end which I extracted with the rex before using spath. Are you trying to extract at indexing time or search time?

0 Karma
Reply

shruti14
Explorer
‎02-07-2022 08:49 AM

I want to extract them at indexing time. So I want to get these field extracted during the index so i get the fields created and then create base search to build dashboards for visualisation. 

The logs are not in regular json format .

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2022 09:27 AM

Does this help?

^(?:[^ \n]* ){2}(?P<event_log>\w+\s+[a-z_-]+)(?:[^ \n]* ){2}\{"originator_username"\:(?P<originator_username>"[^"]+")\,"object"\:(?<object>"[^"]+")[^,\n]*,("extra"\:\{(?P<extra>.[a-z]+)":[^,\n])*(?:[^,\n]*,)+"time"\:(?P<time>\w+),(?:[^,\n]*,){2}"type"\:(?<type>.[a-z_]+[a-z])"}
0 Karma
Reply

shruti14
Explorer
‎02-07-2022 09:52 AM

Yeah it is almost there is there way we can get username and destination also extracted as fields since they also have value i mean this regex gives extra field with value as username and destination but if you can see i have username :admin and destination as bucket name does that further breakage is possible ?

username: admin

"destination":{"bucket_name":"dbabucket","type":"s3","subdir":"radar2","filename":""}}

But yes the regex shared by you is really helpful and i understood what mistake i am doing  thanks ITWhisperer

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...